[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Apr 3 08:13:51 BST 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7f5c5334 by security tracker role at 2026-04-03T07:13:41+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,105 @@
+CVE-2026-5463 (Command injection vulnerability in console.run_module_with_output() in ...)
+ TODO: check
+CVE-2026-5457 (A security flaw has been discovered in PropertyGuru AgentNet Singapore ...)
+ TODO: check
+CVE-2026-5456 (A vulnerability was identified in Align Technology My Invisalign App 3 ...)
+ TODO: check
+CVE-2026-5455 (A vulnerability was determined in Dialogue App up to 4.3.2 on Android. ...)
+ TODO: check
+CVE-2026-5454 (A vulnerability was found in GRID Organiser App up to 1.0.5 on Android ...)
+ TODO: check
+CVE-2026-5453 (A vulnerability has been found in Rico s\xf3 vantagem pra investir App ...)
+ TODO: check
+CVE-2026-5452 (A flaw has been found in UCC CampusConnect App up to 14.3.5 on Android ...)
+ TODO: check
+CVE-2026-5420 (A security flaw has been discovered in Shinrays Games Goods Triple App ...)
+ TODO: check
+CVE-2026-35549 (An issue was discovered in MariaDB Server before 11.4.10, 11.5.x throu ...)
+ TODO: check
+CVE-2026-35545 (An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. ...)
+ TODO: check
+CVE-2026-35544 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
+ TODO: check
+CVE-2026-35543 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
+ TODO: check
+CVE-2026-35542 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
+ TODO: check
+CVE-2026-35541 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
+ TODO: check
+CVE-2026-35540 (An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insu ...)
+ TODO: check
+CVE-2026-35539 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
+ TODO: check
+CVE-2026-35538 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
+ TODO: check
+CVE-2026-35537 (An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. ...)
+ TODO: check
+CVE-2026-35508 (Shynet before 0.14.0 allows XSS in urldisplay and iconify template fil ...)
+ TODO: check
+CVE-2026-35507 (Shynet before 0.14.0 allows Host header injection in the password rese ...)
+ TODO: check
+CVE-2026-35467 (The stored API keys in temporary browser client is not marked as prote ...)
+ TODO: check
+CVE-2026-35466 (XSS vulnerability in cveInterface.js allows for inject HTML to be pass ...)
+ TODO: check
+CVE-2026-35383 (Bentley Systems iTwin Platform exposed a Cesium ion access token in th ...)
+ TODO: check
+CVE-2026-35053 (OneUptime is an open-source monitoring and observability platform. Pri ...)
+ TODO: check
+CVE-2026-34932 (hoppscotch is an open source API development ecosystem. Prior to versi ...)
+ TODO: check
+CVE-2026-34931 (hoppscotch is an open source API development ecosystem. Prior to versi ...)
+ TODO: check
+CVE-2026-34848 (hoppscotch is an open source API development ecosystem. Prior to versi ...)
+ TODO: check
+CVE-2026-34847 (hoppscotch is an open source API development ecosystem. Prior to versi ...)
+ TODO: check
+CVE-2026-34840 (OneUptime is an open-source monitoring and observability platform. Pri ...)
+ TODO: check
+CVE-2026-34838 (Group-Office is an enterprise customer relationship management and gro ...)
+ TODO: check
+CVE-2026-34834 (Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Serv ...)
+ TODO: check
+CVE-2026-34833 (Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Serv ...)
+ TODO: check
+CVE-2026-34832 (Scoold is a Q&A and a knowledge sharing platform for teams. Prior to v ...)
+ TODO: check
+CVE-2026-34825 (NocoBase is an AI-powered no-code/low-code platform for building busin ...)
+ TODO: check
+CVE-2026-34762 (Ella Core is a 5G core designed for private networks. Prior to version ...)
+ TODO: check
+CVE-2026-34761 (Ella Core is a 5G core designed for private networks. Prior to version ...)
+ TODO: check
+CVE-2026-34760 (vLLM is an inference and serving engine for large language models (LLM ...)
+ TODO: check
+CVE-2026-33107 (Server-side request forgery (ssrf) in Azure Databricks allows an unaut ...)
+ TODO: check
+CVE-2026-33105 (Improper authorization in Microsoft Azure Kubernetes Service allows an ...)
+ TODO: check
+CVE-2026-32213 (Improper authorization in Azure AI Foundry allows an unauthorized atta ...)
+ TODO: check
+CVE-2026-32211 (Missing authentication for critical function in Azure MCP Server allow ...)
+ TODO: check
+CVE-2026-32173 (Improper authentication in Azure SRE Agent allows an unauthorized atta ...)
+ TODO: check
+CVE-2026-30252 (Multiple reflected cross-site scripting (XSS) vulnerabilities in the l ...)
+ TODO: check
+CVE-2026-30251 (A reflected cross-site scripting (XSS) vulnerability in the login_newp ...)
+ TODO: check
+CVE-2026-28815 (A remote attacker can supply a short X-Wing HPKE encapsulated key and ...)
+ TODO: check
+CVE-2026-26135 (Server-side request forgery (ssrf) in Azure Custom Locations Resource ...)
+ TODO: check
+CVE-2025-15620 (HiOS Switch Platform versions 09.1.00 prior to 09.4.05 and 10.3.01 con ...)
+ TODO: check
+CVE-2024-14034 (Hirschmann HiEOS devices versions prior to 01.1.00 contain an authenti ...)
+ TODO: check
+CVE-2024-14033 (Hirschmann Industrial IT products (BAT-R, BAT-F, BAT450-F, BAT867-R, B ...)
+ TODO: check
+CVE-2023-7343 (HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contai ...)
+ TODO: check
+CVE-2022-4986 (Hirschmann EagleSDV version 05.4.01 prior to 05.4.02 contains a denial ...)
+ TODO: check
CVE-2026-34090
- mediawiki 1:1.43.8+dfsg-1
[trixie] - mediawiki <not-affected> (Vulnerable code not present)
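Review bot: the description line for CVE-2026-5453 carries a raw byte escape (`Rico s\xf3 vantagem`) where the upstream title has the Latin-1 character ó; the automatic import should decode the feed as UTF-8 before writing the description so the list stores text rather than an escape sequence. The other 50 new entries in this hunk are plain `TODO: check` placeholders, which is the expected state for an automatic import, but note that several of them (CVE-2026-35537 through CVE-2026-35545 for Roundcube, CVE-2026-34847/34848/34931/34932 for hoppscotch) share one upstream release each and can be triaged as a group.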
@@ -22,7 +124,7 @@ CVE-2026-34088
NOTE: https://phabricator.wikimedia.org/T410429
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1265670 (REL1_43)
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1265640 (master)
-CVE-2026-35535 [exec_mailer: Set group as well as uid when running the mailer]
+CVE-2026-35535 (In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid ...)
- sudo <unfixed> (bug #1130593)
[trixie] - sudo <no-dsa> (Minor issue, can be fixed in a point release)
[bookworm] - sudo <no-dsa> (Minor issue, can be fixed in a point release)
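Review bot: the new description names the upstream fix commit (`3e474c2`) but the entry still has no NOTE line pointing at it or at an upstream advisory, so the `<unfixed>` status and the `bug #1130593` reference cannot be checked against the upstream change from the tracker alone; now that the provisional title has been replaced by the official text, add a NOTE with the fix-commit URL, as the neighbouring mediawiki entry does with its gerrit links.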
@@ -513,7 +615,7 @@ CVE-2024-40858 (A permissions issue was addressed with additional restrictions.
NOT-FOR-US: Apple
CVE-2024-40849 (A race condition was addressed with additional validation. This issue ...)
NOT-FOR-US: Apple
-CVE-2023-7342 (HiSecOS web server contains a privilege escalation vulnerability that ...)
+CVE-2023-7342 (HiSecOS web server versions 03.4.00 prior to 04.1.00 contains a privil ...)
TODO: check
CVE-2026-27456 [util-linux: mount(8) TOCTOU symlink attack via loop device]
- util-linux 2.42-1
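Review bot: the replacement description now carries the affected version range (`03.4.00 prior to 04.1.00`) that the old line lacked, but the entry stays at `TODO: check`; the first hunk of this same commit adds five more Hirschmann/HiSecOS entries in the same state (CVE-2023-7343, CVE-2024-14033, CVE-2024-14034, CVE-2025-15620, CVE-2022-4986), so they should be triaged together rather than one at a time.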
@@ -1586,66 +1688,87 @@ CVE-2026-34956
NOTE: Fixed by: https://github.com/openvswitch/ovs/commit/a9785c7e1df73fc3dd5f9ca3816a884e63f2f9e0 (v3.7.1)
NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2026-March/431425.html
CVE-2026-5273 (Use after free in CSS in Google Chrome prior to 146.0.7680.178 allowed ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5272 (Heap buffer overflow in GPU in Google Chrome prior to 146.0.7680.178 a ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5274 (Integer overflow in Codecs in Google Chrome prior to 146.0.7680.178 al ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5275 (Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 146.0.7 ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5276 (Insufficient policy enforcement in WebUSB in Google Chrome prior to 14 ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5277 (Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7 ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5278 (Use after free in Web MIDI in Google Chrome on Android prior to 146.0. ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5279 (Object corruption in V8 in Google Chrome prior to 146.0.7680.178 allow ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5280 (Use after free in WebCodecs in Google Chrome prior to 146.0.7680.178 a ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5281 (Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowe ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5282 (Out of bounds read in WebCodecs in Google Chrome prior to 146.0.7680.1 ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5283 (Inappropriate implementation in ANGLE in Google Chrome prior to 146.0. ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5284 (Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowe ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5285 (Use after free in WebGL in Google Chrome prior to 146.0.7680.178 allow ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5286 (Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowe ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5287 (Use after free in PDF in Google Chrome prior to 146.0.7680.178 allowed ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5288 (Use after free in WebView in Google Chrome on Android prior to 146.0.7 ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5289 (Use after free in Navigation in Google Chrome prior to 146.0.7680.178 ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5290 (Use after free in Compositing in Google Chrome prior to 146.0.7680.178 ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5291 (Inappropriate implementation in WebGL in Google Chrome prior to 146.0. ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-5292 (Out of bounds read in WebCodecs in Google Chrome prior to 146.0.7680.1 ...)
+ {DSA-6192-1}
- chromium 146.0.7680.177-1
[bullseye] - chromium <end-of-life> (see #1061268)
CVE-2026-34743 (XZ Utils provide a general-purpose data-compression library plus comma ...)
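Review bot: each of the 22 Chromium entries now gains `{DSA-6192-1}` while the recorded fixed version stays `146.0.7680.177-1`, yet every description says the upstream fix is in `146.0.7680.178`; confirm that the DSA upload really is 146.0.7680.177-1 (for example a Debian revision that backports the .178 fixes) or bump the version line to the upload that shipped with the DSA, otherwise the fixed-version line and the description disagree on which upstream release closes the bugs. The `[bullseye] - chromium <end-of-life> (see #1061268)` lines are unchanged and still consistent with the DSA covering only supported suites.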
@@ -2127,7 +2250,8 @@ CVE-2026-33691 (The OWASP core rule set (CRS) is a set of generic attack detecti
[trixie] - modsecurity-crs <no-dsa> (Minor issue)
[bookworm] - modsecurity-crs <no-dsa> (Minor issue)
NOTE: https://github.com/coreruleset/coreruleset/security/advisories/GHSA-rw5f-9w43-gv2w
-CVE-2026-35536 [Incomplete validation of cookie attributes]
+CVE-2026-35536 (In Tornado before 6.5.5, cookie attribute injection could occur becaus ...)
+ {DLA-4520-1}
- python-tornado 6.5.5-1 (bug #1132367)
NOTE: https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7
NOTE: Fixed by: https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104 (v6.5.5)
@@ -848060,7 +848184,7 @@ CVE-2012-0060 (RPM before 4.9.1.3 does not properly validate region tags, which
{DLA-140-1}
- rpm 4.9.1.3-1 (bug #667031)
[squeeze] - rpm <no-dsa> (Minor issue)
-CVE-2012-0059 (Spacewalk-backend in Red Hat Network (RHN) Satellite and Proxy 5.4 inc ...)
+CVE-2012-0059 (A flaw was found in Spacewalk-backend. This information disclosure vul ...)
NOT-FOR-US: RHN Satellite
CVE-2012-0058 (The kiocb_batch_free function in fs/aio.c in the Linux kernel before 3 ...)
- linux-2.6 3.2.2-1
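Review bot: the replacement description drops the product and version context the old line carried (`Red Hat Network (RHN) Satellite and Proxy 5.4`), so the `NOT-FOR-US: RHN Satellite` annotation is now the only place in the entry that names the affected product; that annotation must be kept as-is for the entry to remain triageable. The same applies to the four later Spacewalk hunks in this commit (CVE-2011-3344, CVE-2011-2927, CVE-2011-2920, CVE-2011-1594), whose `Spacewalk 1.6` version references likewise vanish from the new wording while the `NOT-FOR-US: Red Hat Network Satellite server` lines stay.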
@@ -852298,7 +852422,7 @@ CVE-2011-3346 (Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU b
[squeeze] - qemu-kvm <no-dsa> (SCSI support in 0.12 generally broken, no complete fix other than updating to 0.15)
CVE-2011-3345 (ulp/sdp/sdp_proc.c in the ib_sdp module (aka ib_sdp.ko) in the ofa_ker ...)
- ofa-kernel <itp> (bug #541849)
-CVE-2011-3344 (Cross-site scripting (XSS) vulnerability in the Lookup Login/Password ...)
+CVE-2011-3344 (A flaw was found in Spacewalk. A remote attacker can exploit a cross-s ...)
NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-3343 (Multiple buffer overflows in OpenTTD before 1.1.3 allow local users to ...)
{DSA-2386-1}
@@ -853592,7 +853716,7 @@ CVE-2011-2929 (The template selection functionality in actionpack/lib/action_vie
CVE-2011-2928 (The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kerne ...)
{DSA-2310-1 DSA-2303-1}
- linux-2.6 3.0.0-2
-CVE-2011-2927 (Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk 1.6, ...)
+CVE-2011-2927 (A flaw was found in Spacewalk and Red Hat Network Satellite. This vuln ...)
NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2926
REJECTED
@@ -853608,7 +853732,7 @@ CVE-2011-2922 (ktsuss versions 1.4 and prior spawns the GTK interface to run as
- ktsuss <removed>
CVE-2011-2921 (ktsuss versions 1.4 and prior has the uid set to root and does not dro ...)
- ktsuss <removed>
-CVE-2011-2920 (Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk 1.6, ...)
+CVE-2011-2920 (A flaw was found in Spacewalk and Red Hat Network Satellite. This cros ...)
NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2919 (Cross-site scripting (XSS) vulnerability in Spacewalk 1.6, as used in ...)
NOT-FOR-US: Red Hat Network Satellite server
@@ -857221,7 +857345,7 @@ CVE-2011-1595 (Directory traversal vulnerability in the disk_create function in
- rdesktop 1.7.0-1 (low; bug #623552)
[squeeze] - rdesktop <no-dsa> (Minor issue)
[lenny] - rdesktop <no-dsa> (Minor issue)
-CVE-2011-1594 (Open redirect vulnerability in Spacewalk 1.6, as used in Red Hat Netwo ...)
+CVE-2011-1594 (A flaw was found in Spacewalk, as used in Red Hat Network Satellite. T ...)
NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-1593 (Multiple integer overflows in the next_pidmap function in kernel/pid.c ...)
{DSA-2264-1 DSA-2240-1}
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f5c533451584e931d796a3e0f574b3d31ffc49c